Date: Tue, 7 Jun 2022 10:40:15 +0000
Message-Id: <20220607104015.2126118-1-poprdi@google.com>
Subject: [PATCH v2] Bluetooth: Collect kcov coverage from hci_rx_work
From: Tamas Koczka
To: Marcel Holtmann
Cc: Johan Hedberg, Luiz Augusto von Dentz, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, theflow@google.com, nogikh@google.com, Tamas Koczka
X-Mailing-List: linux-bluetooth@vger.kernel.org

Annotate hci_rx_work() with kcov_remote_start() and kcov_remote_stop() calls, so remote KCOV coverage is collected while processing the rx_q queue, which is the main incoming Bluetooth packet queue. Coverage is associated with the thread which created the packet skb. The collected extra coverage helps kernel fuzzing efforts in finding vulnerabilities.

Signed-off-by: Tamas Koczka
---
Changelog since v1:
- add comment about why kcov_remote functions are called

v1: https://lore.kernel.org/all/20220517094532.2729049-1-poprdi@google.com/

 net/bluetooth/hci_core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 45c2dd2e1590..0af43844c55a 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include
@@ -3780,7 +3781,14 @@ static void hci_rx_work(struct work_struct *work) BT_DBG("%s", hdev->name); - while ((skb = skb_dequeue(&hdev->rx_q))) { + /* The kcov_remote functions used for collecting packet parsing + * coverage information from this background thread and associate + * the coverage with the syscall's thread which originally injected + * the packet. This helps fuzzing the kernel. + */ + for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop()) { + kcov_remote_start_common(skb_get_kcov_handle(skb)); + /* Send copy to monitor */ hci_send_to_monitor(hdev, skb);
--
2.36.1.255.ge46751e96f-goog
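Review bot: in the hci_rx_work() hunk the new comment drops its verb ("The kcov_remote functions used for collecting ... and associate ...") and explains why coverage is collected without explaining the one non-obvious thing in the hunk, the switch from `while` to `for (; (skb = skb_dequeue(&hdev->rx_q)); kcov_remote_stop())`. Putting kcov_remote_stop() in the for-increment is what keeps it paired with the kcov_remote_start_common(skb_get_kcov_handle(skb)) at the top of the body even when an iteration leaves the body with `continue`; a `break` added later would still skip it. Suggest rewording along the lines of "The kcov_remote functions collect packet-parsing coverage from this worker and attribute it to the syscall thread that injected the packet; kcov_remote_stop() sits in the for-increment so it runs for every dequeued skb, including iterations that continue early." so the next reader does not fold the loop back into a while or add a break without a matching stop.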
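For readers who want to consume the coverage this patch exposes, the following is an added example (mine, not part of the patch, the kernel tree or syzkaller) of a userspace harness using the KCOV_REMOTE_ENABLE interface described in Documentation/dev-tools/kcov.rst. It demonstrates the point the commit message makes: because the skb carries the kcov handle of the thread that created it, the injecting thread only needs a common handle, no subsystem handle, and the worker's PCs land in that thread's coverage area. Assumptions: a vhci-backed controller has already been created and brought up by a separate setup process (a fake-controller loop answering the HCI init commands, as syzkaller does; that setup is not shown) and its /dev/vhci descriptor is inherited and passed as the sole argument; the handle id 0x42, the injected Command Complete event, the 100 ms settle delay and the helper names kcov_remote_handle (same rule as the kernel's inline), unique_pcs and distinct_pcs are my choices.

```c
/* Added example, not from the patch, the kernel tree or the author: harvest
 * the remote KCOV coverage hci_rx_work() emits once annotated. ioctls, struct
 * layout and handle encoding follow Documentation/dev-tools/kcov.rst. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

#define KCOV_INIT_TRACE       _IOR('c', 1, unsigned long)
#define KCOV_DISABLE          _IO('c', 101)
#define KCOV_REMOTE_ENABLE    _IOW('c', 102, struct kcov_remote_arg)
#define KCOV_TRACE_PC         0
#define KCOV_SUBSYSTEM_COMMON (0x00ull << 56)
#define KCOV_SUBSYSTEM_MASK   (0xffull << 56)
#define KCOV_INSTANCE_MASK    0xffffffffull
#define COVER_SIZE            (64 << 10) /* unsigned long entries, not bytes */

struct kcov_remote_arg {  /* uapi layout; aligned(8) mirrors __aligned_u64 */
	uint32_t trace_mode;  /* so sizeof stays 24, the size _IOW encodes */
	uint32_t area_size;
	uint32_t num_handles;
	uint64_t common_handle __attribute__((aligned(8)));
	uint64_t handles[];
};

/* Kernel rule: subsystem in the top byte, instance in the low 32 bits,
 * 0 when either is out of range. */
static uint64_t kcov_remote_handle(uint64_t subsys, uint64_t inst)
{
	if (subsys & ~KCOV_SUBSYSTEM_MASK || inst & ~KCOV_INSTANCE_MASK)
		return 0;
	return subsys | inst;
}

static int cmp_ulong(const void *a, const void *b)
{
	unsigned long x = *(const unsigned long *)a, y = *(const unsigned long *)b;
	return x < y ? -1 : x > y;
}

/* Sort and deduplicate PCs in place (the per-input record a fuzzer keeps);
 * returns the number of distinct PCs. */
static size_t unique_pcs(unsigned long *pcs, size_t n)
{
	size_t k = 0;
	if (!n)
		return 0;
	qsort(pcs, n, sizeof(*pcs), cmp_ulong);
	for (size_t i = 1; i < n; i++)
		if (pcs[i] != pcs[k])
			pcs[++k] = pcs[i];
	return k + 1;
}

/* kcov area layout: area[0] is the PC count, area[1..n] the PCs (cap is how
 * many PC slots exist). Returns the distinct count, sorted into area[1..]. */
static size_t distinct_pcs(unsigned long *area, size_t cap)
{
	unsigned long n = __atomic_load_n(&area[0], __ATOMIC_RELAXED);
	return unique_pcs(area + 1, n > cap ? cap : n);
}

static void die(const char *what) { perror(what); exit(1); }

int main(int argc, char **argv)
{
	/* Constructed H4 frame for write(2) on /dev/vhci: packet type 0x04 (event),
	 * event 0x0e (Command Complete), 4 parameter bytes: ncmd=1, opcode 0x0c03
	 * (HCI_Reset) little-endian, status 0. */
	const uint8_t frame[] = { 0x04, 0x0e, 0x04, 0x01, 0x03, 0x0c, 0x00 };
	/* No subsystem handles: the worker is reached through the common handle
	 * this thread stamps on the skb allocated by the vhci write below. */
	struct kcov_remote_arg arg = { .trace_mode = KCOV_TRACE_PC,
		.area_size = COVER_SIZE,
		.common_handle = kcov_remote_handle(KCOV_SUBSYSTEM_COMMON, 0x42) };
	int vhci = argc == 2 ? atoi(argv[1]) : -1; /* assumed: inherited, device up */
	int fd = open("/sys/kernel/debug/kcov", O_RDWR);

	if (vhci < 0 || fd < 0 || ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE))
		die("kcov init (usage: prog <inherited /dev/vhci fd>)");
	unsigned long *area = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
				   PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (area == MAP_FAILED || ioctl(fd, KCOV_REMOTE_ENABLE, &arg))
		die("kcov remote enable");
	if (write(vhci, frame, sizeof frame) != (ssize_t)sizeof frame)
		die("write vhci");
	usleep(100000); /* rx_work runs later; kcov_remote_stop() copies its PCs */
	ioctl(fd, KCOV_DISABLE, 0);
	for (size_t i = 1, n = distinct_pcs(area, COVER_SIZE - 1); i <= n; i++)
		printf("0x%lx\n", area[i]);
	return 0;
}
```

Run it with CONFIG_KCOV=y and debugfs mounted, for instance as `./harness 3` after the setup process has exec'd it with the vhci descriptor at fd 3. Everything this thread itself executed between KCOV_REMOTE_ENABLE and KCOV_DISABLE (the write() path that queues the skb onto rx_q) lands in the same area as the worker's remote section, and the remote section is only copied in when kcov_remote_stop() runs, which is why a real fuzzer loops on injections and diffs distinct PC sets per input instead of relying on a fixed sleep.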